The numbers are in, and they are not close.

April 2026 is now the single worst month in the history of cryptocurrency security. DefiLlama confirmed 30 separate exploit incidents resulting in approximately $651 million in losses, a figure that represents more value stolen in one calendar month than the entire annual hack total for 2022, a year previously considered catastrophic.

Two incidents dominated: the Drift Protocol hack ($285 million, April 1) and the KelpDAO exploit ($293 million, April 18). Together they account for 89% of the month’s losses. But even setting those two aside, the remaining 28 incidents still produced approximately $73 million in losses, a month that would itself rank among the worst in recent memory.

North Korea’s fingerprints are on the largest attacks. TRM Labs estimated that DPRK-linked operations accounted for 76% of all 2026 crypto hack losses through April, with total DPRK crypto theft since 2017 now exceeding $6 billion. Within 48 hours of the KelpDAO exploit alone, more than $8.4 billion in deposits left Aave, and total DeFi TVL dropped by over $13 billion.

This is the full picture of April 2026: what happened, why it happened, and what it tells us about where crypto security stands.


The Two Catastrophic Attacks

Drift Protocol: $285 Million (April 1)

The Drift Protocol hack was the culmination of a six-month social engineering operation attributed to North Korea’s UNC4736 threat actor (also tracked as Lazarus Group subunit Gleaming Pisces / Citrine Sleet).

Beginning in the fall of 2025, operatives posing as a quantitative trading firm attended crypto conferences in multiple countries, built professional relationships with Drift contributors, and gradually positioned themselves to manipulate the protocol’s Security Council, the multi-signature governance body responsible for emergency changes.

The technical mechanism was multi-layered:

  • A fabricated token called CarbonVote Token (CVT) was seeded with wash trading to create an apparent price history
  • Drift’s oracle infrastructure was tricked into treating CVT as legitimate collateral worth hundreds of millions
  • Security Council members were manipulated into pre-signing transactions that embedded hidden instructions transferring administrative control to attacker-controlled addresses
  • Solana’s durable nonces feature was used to stage withdrawal transactions weeks in advance

On April 1, the attacker exercised that pre-positioned control. In 12 minutes, $285 million in SOL, USDC, and derivatives was drained. Within hours, the funds were bridged to Ethereum and began passing through laundering infrastructure consistent with prior DPRK operations.

The code was audited. The governance was not. No smart contract vulnerability was exploited, only human trust.
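A signer-side check for the two governance mechanisms described above (pre-signed transactions carrying instructions the signer was not told about, and durable nonces keeping a signature usable for weeks) can be sketched as follows. This is an added example, not code from Drift or from the original article; the `Instruction` model, the program names and the payloads are hypothetical placeholders, and only the System Program id and the `AdvanceNonceAccount` tag are real Solana values.

```python
from dataclasses import dataclass

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id
ADVANCE_NONCE = (4).to_bytes(4, "little")  # SystemInstruction::AdvanceNonceAccount tag

@dataclass(frozen=True)
class Instruction:
    program_id: str
    data: bytes

def uses_durable_nonce(ixs) -> bool:
    """Durable-nonce transactions carry AdvanceNonceAccount as instruction 0."""
    return bool(ixs) and ixs[0].program_id == SYSTEM_PROGRAM \
        and ixs[0].data[:4] == ADVANCE_NONCE

def review(ixs, approved) -> list:
    """Compare decoded instructions with the proposal approved out of band.

    `approved` is the set of Instructions the signer was told the transaction
    contains. An empty result means nothing unexpected was found.
    """
    findings = []
    start = 0
    if uses_durable_nonce(ixs):
        findings.append("durable nonce: stays executable until the nonce is advanced")
        start = 1
    for i, ix in enumerate(ixs[start:], start):
        if ix not in approved:
            findings.append(f"instruction {i}: unapproved call to {ix.program_id}")
    return findings

# Constructed sample data; program ids and payloads are hypothetical placeholders.
PARAM_CHANGE = Instruction("HYPOTHETICAL_MARKET_PROGRAM", b"set_fee:10")
ADMIN_CHANGE = Instruction("HYPOTHETICAL_GOVERNANCE_PROGRAM", b"set_admin:OTHER_KEY")
NONCE_IX = Instruction(SYSTEM_PROGRAM, ADVANCE_NONCE)

AS_DESCRIBED = [PARAM_CHANGE]                           # what the signer was shown
AS_SERIALIZED = [NONCE_IX, PARAM_CHANGE, ADMIN_CHANGE]  # what the bytes contain

if __name__ == "__main__":
    for finding in review(AS_SERIALIZED, {PARAM_CHANGE}):
        print("REFUSE TO SIGN:", finding)
```

The check only works if the approved set comes from a channel the requester does not control, and if the signer decodes the exact bytes being signed rather than a summary supplied with the request.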

KelpDAO: $293 Million (April 18)

Seventeen days after Drift, KelpDAO became the single largest DeFi exploit of 2026, surpassing Drift by a narrow margin.

KelpDAO issues rsETH, a liquid restaking token backed by ETH deposits, across more than 20 blockchain networks via LayerZero cross-chain messaging. The attack targeted a fundamental configuration flaw: KelpDAO’s LayerZero verifier was configured as 1-of-1, meaning a single node was responsible for validating cross-chain messages before releasing funds.

Attackers compromised two of the RPC nodes that served as data sources for this validator and injected fraudulent messages falsely claiming to originate from KelpDAO’s legitimate bridge contracts. The protocol’s validation layer, expecting a single confirmation from its one configured verifier, accepted the spoofed messages as authentic.

The result: 116,500 rsETH tokens (approximately 18% of the token’s total circulating supply) were minted without backing, worth approximately $293 million at the time of the exploit.

The unbacked rsETH was used to borrow real ETH from Aave, leaving the lending protocol with impaired collateral. As the attack was confirmed, panic rippled through the DeFi ecosystem. Protocols including Aave, SparkLend, and Fluid froze markets for rsETH assets. rsETH’s price collapsed, and questions arose about the integrity of rsETH reserves on every Layer 2 network where KelpDAO operated.

Attribution: Elliptic and Chainalysis both linked the KelpDAO exploit to Lazarus Group infrastructure based on post-theft fund movement patterns.


The Other 28 Incidents

Beyond Drift and KelpDAO, April 2026 contained an additional 28 confirmed exploits producing approximately $73 million in combined losses:

| Protocol | Loss | Attack Type |
|---|---|---|
| Wasabi Protocol | $4.5M | Admin key compromise |
| Rhea Finance | $18.4M | Oracle manipulation |
| Grinex | $15M | Hot wallet compromise |
| Volo Vault | $3.5M | Reentrancy exploit |
| Sweat Foundation | $3.5M | Smart contract logic flaw |
| Hyperbridge | $2.5M | Cross-chain message spoofing |
| Various others | ~$25M | Mix of phishing, rug pulls, contract exploits |

Wasabi Protocol (drained on April 30, the final day of the month) was particularly notable. Attackers compromised Wasabi’s deployer admin key, granted themselves admin privileges, and upgraded vault contracts to malicious versions on both Ethereum and Base networks, draining approximately $4.55 million. The attack closely mirrors the logic of the Drift hack in miniature: the vulnerability was not in the code but in key management.


Why April Was Different

The sheer number of incidents (one per day across the month) raises the question of whether April’s density represents a statistical anomaly or a structural deterioration in DeFi security.

Several factors contributed:

North Korea’s operational tempo has accelerated. TRM Labs noted that North Korean hackers are moving faster than in prior years: shorter preparation periods, more simultaneous operations, and an expanding use of AI tools to accelerate reconnaissance and code review. The Drift operation’s six-month timeline was, per TRM’s analysis, shorter than comparable prior operations.

Cross-chain infrastructure remains the weakest link. KelpDAO’s exploit joins a long list of cross-chain bridge attacks: Wormhole ($325M, 2022), Ronin ($625M, 2022), Nomad ($190M, 2022), Orbit Chain ($82M, 2024). Bridge security is consistently the most consequential attack surface in DeFi because bridges hold large concentrations of assets and rely on complex message-passing architectures that are difficult to secure.

Governance security is not keeping pace with protocol security. Both Drift and Wasabi were exploited not through contract bugs but through governance and key management failures. Smart contract auditing has become standard practice in DeFi. Governance security (timelock requirements, multi-sig configurations, key storage policies, social engineering training) has not.

The yield environment creates urgency. Higher DeFi yields in 2025-2026 have attracted larger TVL back into the space. More TVL means larger potential payouts for successful exploits, which increases attacker motivation and potentially justifies longer, more expensive preparatory operations.


The North Korea Problem Is Getting Worse

The context behind April’s numbers requires confronting a fact the crypto industry has been slow to internalize: North Korea is now the dominant threat actor in cryptocurrency security, and it is not operating like a criminal organization.

DPRK cyber operations function as a state revenue mechanism, used to fund weapons development programs under international sanctions. The sophistication and resourcing of these operations reflects state backing, not individual criminal enterprise. They have:

  • Dedicated teams running multi-month social engineering campaigns
  • Infrastructure for large-scale money laundering through mixers, OTC desks, and chain-hopping
  • Legal expertise to navigate sanctions compliance gaps in receiving jurisdictions
  • Technical capability spanning smart contract exploitation, oracle manipulation, and social engineering

The $6+ billion stolen since 2017 represents an extraordinary sustained campaign with no historical parallel in cybercrime. The UN estimates that crypto theft funds a material portion of DPRK’s missile and nuclear programs.

Addressing this threat requires coordination between the crypto industry, governments, and international law enforcement at a level that has not yet materialized. Individual protocol security improvements help at the margins. They do not solve the underlying problem.


The DeFi Ecosystem’s Response

Aave led a coordinated industry response to the KelpDAO fallout, working with other lending protocols to assess rsETH collateral exposure and determine appropriate market freeze conditions. The speed of the coordinated response, compared to earlier DeFi crises, reflected improved communication infrastructure across the ecosystem.

Drift Protocol announced a recovery fund and is cooperating with TRM Labs, Chainalysis, and law enforcement on fund tracking. Recovery prospects remain low given the sophistication of DPRK laundering operations.

LayerZero published a post-mortem on the KelpDAO vulnerability, emphasizing that the 1-of-1 verifier configuration was a choice made by KelpDAO’s development team, not a flaw in the LayerZero protocol itself. This framing (that bridge infrastructure providers are not responsible for how their products are configured) will likely be contested as standards around bridge configuration security are developed.

Wasabi Protocol paused operations and began an incident response, though the relatively small $4.5 million loss allows for a credible recovery path.


What This Means for Crypto Security in 2026

April 2026’s record numbers confirm several trends that the industry can no longer treat as emerging:

Social engineering has replaced code exploitation as the primary attack vector. The largest thefts now consistently involve manipulation of human operators rather than bugs in code. This requires an entirely different security discipline that most DeFi protocols have not yet developed.

Governance is the attack surface. Timelocks, multi-sig configurations, Security Council compositions, key management practices: these are now primary security parameters, not administrative details. Protocols that have not stress-tested their governance against adversarial scenarios are not secure, regardless of their contract audit status.

Cross-chain infrastructure requires a new security standard. 1-of-1 verification configurations should be regarded as equivalent to no verification. Bridge protocols need minimum security standards equivalent to fintech-grade requirements: N-of-M multi-party validation, geographic distribution of validator infrastructure, circuit breakers on large withdrawals, and delayed finality for high-value transfers.
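The difference between a 1-of-1 verifier and N-of-M validation with a circuit breaker, as recommended above and as exploited in the KelpDAO incident, can be shown with a small model. This is an added example, not LayerZero or KelpDAO code: the `Verifier` and `Receiver` classes are hypothetical, HMAC stands in for a real signature scheme, and the amount is passed alongside the message for brevity.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def sign(key: bytes, msg: bytes) -> bytes:
    # HMAC stands in for a verifier's real signature scheme (assumption).
    return hmac.new(key, hashlib.sha256(msg).digest(), hashlib.sha256).digest()

@dataclass
class Verifier:
    name: str
    key: bytes
    seen: set = field(default_factory=set)  # messages its own RPC source reports

    def attest(self, msg: bytes):
        # A verifier is only as honest as the data source it reads from.
        return (self.name, sign(self.key, msg)) if msg in self.seen else None

class Receiver:
    def __init__(self, keys: dict, threshold: int, window_cap: int):
        self.keys, self.threshold, self.window_cap = keys, threshold, window_cap
        self.minted = 0

    def deliver(self, msg: bytes, amount: int, attestations) -> str:
        # Collect names into a set so one verifier counts once toward quorum.
        ok = {n for n, sig in filter(None, attestations)
              if n in self.keys and hmac.compare_digest(sig, sign(self.keys[n], msg))}
        if len(ok) < self.threshold:
            return "rejected"
        if self.minted + amount > self.window_cap:
            return "held"  # circuit breaker: large mints wait for manual release
        self.minted += amount
        return "minted"

def simulate(threshold: int, n_verifiers: int, poisoned: int,
             amount: int, cap: int) -> str:
    """Deliver a forged message that only `poisoned` verifiers' sources report."""
    forged = b"constructed sample: forged cross-chain mint message"
    vs = [Verifier(f"v{i}", bytes([i + 1]) * 32) for i in range(n_verifiers)]
    for v in vs[:poisoned]:
        v.seen.add(forged)
    rx = Receiver({v.name: v.key for v in vs}, threshold, cap)
    return rx.deliver(forged, amount, [v.attest(forged) for v in vs])

if __name__ == "__main__":
    print("1-of-1, source poisoned:  ", simulate(1, 1, 1, 100, 1000))
    print("2-of-3, one poisoned:     ", simulate(2, 3, 1, 100, 1000))
    print("2-of-3, two poisoned, big:", simulate(2, 3, 2, 5000, 1000))
```

The quorum only helps when the verifiers read from independent data sources; three verifiers behind the same RPC nodes behave like the 1-of-1 case.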

The industry needs shared threat intelligence. The conference appearance patterns of DPRK front organizations, the wallet addresses of known Lazarus Group infrastructure, the social media personas used in social engineering: this information exists within blockchain analytics firms and law enforcement, but it does not reach the individual protocol contributors who are the actual targets. That gap needs to close.


Looking Ahead

May 2026 begins with the crypto industry absorbing the full weight of April’s losses. The immediate questions are practical: how much of the $651 million can be recovered, which protocols are most exposed to copycat attacks using similar techniques, and whether the industry’s security culture will change substantively or produce another round of post-mortem pledges.

The historical answer is not encouraging. DeFi has had record-breaking hack months before (2022, in particular, produced multiple billion-dollar incidents) and the response has been incremental rather than structural.

What makes the current moment potentially different is the concentration of loss in a single category: governance and operational security rather than contract bugs. The industry has a well-developed playbook for contract security. It does not yet have one for the threat that is now doing the most damage.

April was the record. May through December 2026 will determine whether the industry treats it as the alarm it is.


This article is provided for informational purposes only and does not constitute financial or legal advice.
